GNU bug report logs -
#71352
branch master updated: services: nix: Mount Nix store read only.
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 71352 in the body.
You can then email your comments to 71352 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#71352; Package
guix.
(Tue, 04 Jun 2024 02:35:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Tue, 04 Jun 2024 02:35:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
guix-commits <at> gnu.org writes:
> services: nix: Mount Nix store read only.
>
> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
> (%nix-store-directory): New variable.
> (nix-service-type): Add file-system-service-type extension.
>
> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
This commit unfortunately appears to introduce a regression where
reconfiguring a system with the read-only /nix/store causes the
following error:
--8<---------------cut here---------------start------------->8---
guix system: error: chown: Système de fichiers accessible en lecture seulement
--8<---------------cut here---------------end--------------->8---
With the accompanying strace output:
--8<---------------cut here---------------start------------->8---
20261 close(17) = 0
20261 chown("/nix/store", 0, 981) = -1 EROFS (Système de fichiers accessible en lecture seulement)
20261 close(13) = 0
20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
--8<---------------cut here---------------end--------------->8---
Are these chown still useful in the activation snippet?
--8<---------------cut here---------------start------------->8---
(define (nix-activation _)
;; Return the activation gexp.
#~(begin
(use-modules (guix build utils)
(srfi srfi-26))
(for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
"/nix/var/nix/gcroots/per-user"
"/nix/var/nix/profiles/per-user"))
(chown "/nix/store"
(passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
(chmod "/nix/store" #o775)
(for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
"/nix/var/nix/profiles/per-user"))))
--8<---------------cut here---------------end--------------->8---
If they are useful only on the first time, perhaps we could catch the
exceptions for when it runs on an already read-only mounted /nix/store?
--
Thanks,
Maxim
Information forwarded
to
bug-guix <at> gnu.org:
bug#71352; Package
guix.
(Tue, 04 Jun 2024 08:49:02 GMT)
Full text and
rfc822 format available.
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hello Maxim,
Thank you for your report. Apologize for any inconvenience caused by
the unexpected breakage.
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hello,
>
> guix-commits <at> gnu.org writes:
>
>> services: nix: Mount Nix store read only.
>>
>> * gnu/services/nix.scm (nix-shepherd-service): Add requirements.
>> (%nix-store-directory): New variable.
>> (nix-service-type): Add file-system-service-type extension.
>>
>> Change-Id: I18a5d58c92c1f2b5b6dcecc3d5b439cc15bf4e49
>
> This commit unfortunately appears to introduce a regression where
> reconfiguring a system with the read-only /nix/store causes the
> following error:
>
> guix system: error: chown: Système de fichiers accessible en lecture seulement
>
>
> With the accompanying strace output:
>
> 20261 close(17) = 0
> 20261 chown("/nix/store", 0, 981) = -1 EROFS (Système de fichiers accessible en lecture seulement)
> 20261 close(13) = 0
> 20261 write(2, "guix system: \33[1;31merror: \33[0m\33[1mchown\33[0m: Syst\303\250me de fichiers accessible en lecture seulement\n", 99) = 99
>
>
> Are these chown still useful in the activation snippet?
>
> (define (nix-activation _)
> ;; Return the activation gexp.
> #~(begin
> (use-modules (guix build utils)
> (srfi srfi-26))
> (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
> "/nix/var/nix/gcroots/per-user"
> "/nix/var/nix/profiles/per-user"))
> (chown "/nix/store"
> (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
> (chmod "/nix/store" #o775)
> (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
> "/nix/var/nix/profiles/per-user"))))
>
> If they are useful only on the first time, perhaps we could catch the
> exceptions for when it runs on an already read-only mounted /nix/store?
Indeed, it is a good idea.
A hotfix for the issue was discussed and implemented. It has already
been pushed to the master branch. The fix involves a simple
'file-exists?' check. You can find more details in the discussion at
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
What do you think is preferable in this scenario – catching exceptions
or sticking with '(unless (file-exists? ...))'? Your thoughts on the
best approach here?
Regards,
Oleg.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#71352; Package
guix.
(Thu, 06 Jun 2024 02:05:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 71352 <at> debbugs.gnu.org (full text, mbox):
Hi Oleg,
[...]
>> Are these chown still useful in the activation snippet?
>>
>> (define (nix-activation _)
>> ;; Return the activation gexp.
>> #~(begin
>> (use-modules (guix build utils)
>> (srfi srfi-26))
>> (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>> "/nix/var/nix/gcroots/per-user"
>> "/nix/var/nix/profiles/per-user"))
>> (chown "/nix/store"
>> (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>> (chmod "/nix/store" #o775)
>> (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>> "/nix/var/nix/profiles/per-user"))))
>>
>> If they are useful only on the first time, perhaps we could catch the
>> exceptions for when it runs on an already read-only mounted /nix/store?
>
> Indeed, it is a good idea.
>
> A hotfix for the issue was discussed and implemented. It has already
> been pushed to the master branch. The fix involves a simple
> 'file-exists?' check. You can find more details in the discussion at
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>
> What do you think is preferable in this scenario – catching exceptions
> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
> best approach here?
Exceptions are usually better than 'check then do' as they avoid the
TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.
By the way, 'Reported-by:' is a fine git trailer to use :-). I also use
'Fixes:' as a git trailer (trailer means they should be found at the
bottom of the commit message -- these can be parsed with the 'git
interpret-trailers' command)
--
Thanks,
Maxim
Reply sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility.
(Mon, 24 Jun 2024 02:49:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer.
(Mon, 24 Jun 2024 02:49:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 71352-done <at> debbugs.gnu.org (full text, mbox):
Hi Oleg,
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hi Oleg,
>
> [...]
>
>>> Are these chown still useful in the activation snippet?
>>>
>>> (define (nix-activation _)
>>> ;; Return the activation gexp.
>>> #~(begin
>>> (use-modules (guix build utils)
>>> (srfi srfi-26))
>>> (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
>>> "/nix/var/nix/gcroots/per-user"
>>> "/nix/var/nix/profiles/per-user"))
>>> (chown "/nix/store"
>>> (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
>>> (chmod "/nix/store" #o775)
>>> (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
>>> "/nix/var/nix/profiles/per-user"))))
>>>
>>> If they are useful only on the first time, perhaps we could catch the
>>> exceptions for when it runs on an already read-only mounted /nix/store?
>>
>> Indeed, it is a good idea.
>>
>> A hotfix for the issue was discussed and implemented. It has already
>> been pushed to the master branch. The fix involves a simple
>> 'file-exists?' check. You can find more details in the discussion at
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71320
>>
>> What do you think is preferable in this scenario – catching exceptions
>> or sticking with '(unless (file-exists? ...))'? Your thoughts on the
>> best approach here?
>
> Exceptions are usually better than 'check then do' as they avoid the
> TOCTTOU (time-of-check to time-of-use) class of bugs/vulnerabilities.
I'm closing this for now; I'm satisfied that working order has been
restored :-).
--
Thanks,
Maxim
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 22 Jul 2024 11:24:20 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 25 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.